GRR (Google Rapid Response) is an incident response framework focused on remote live forensics.

= See also =

* [[rekall]]

= External Links =

* [https://code.google.com/p/grr/ Project site]
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
* [http://grr.googlecode.com/git/docs/index.html Documentation]


The Incident Response edition of '''Second Look™: Linux Memory Forensics''' is designed for investigators who need quick, easy, and effective Linux memory acquisition and analysis.

== Memory Acquisition ==

Second Look™ preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script acquires memory from running systems without installing additional software on the target. For systems that expose no native interface to physical memory, a memory access driver is provided; loading a driver necessarily modifies the kernel state being captured, so record on which hosts it was used instead of the native interface.

== Memory Analysis ==

Second Look™ interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. It uses a kernel integrity verification approach, comparing the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, plus a script for creating reference kernels for other systems, such as those running custom kernels. The reference must correspond to the exact kernel build under analysis; otherwise legitimate build differences are indistinguishable from tampering.
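The reference-kernel comparison described under Memory Analysis, reduced to its essentials as an added example (this is not Second Look's code and says nothing about how Second Look implements the check): compare a captured kernel text region page by page against the reference, isolate the exact differing bytes, attribute them to a kallsyms symbol, and decode the destination of the two inline-hook shapes the sample plants. The load address, the symbol table, the hook target and the byte pattern standing in for kernel code are all constructed for the example.

```python
"""Reference-kernel text comparison (kernel integrity verification, in miniature).

Added illustration, not Second Look's code. Assumed inputs: the kernel .text bytes
captured from memory, the same range from a reference kernel of the identical
build, and a kallsyms-style symbol list. All three are constructed below so the
script runs offline; TEXT_BASE, the symbols and HOOK_TARGET are invented.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

PAGE = 4096
TEXT_BASE = 0xFFFFFFFF81000000      # assumed .text load address
TEXT_SIZE = 2 * PAGE
HOOK_TARGET = 0xFFFFFFFFC0000000    # assumed address inside a malicious module

# Constructed stand-in for reference kernel code: a deterministic byte pattern.
REFERENCE_TEXT = bytes((i * 131 + 17) & 0xFF for i in range(TEXT_SIZE))

# Constructed kallsyms-style table ("addr type name") for the same build.
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81000200 T vfs_read
ffffffff81000a00 T vfs_write
ffffffff81001000 T iterate_dir
ffffffff81001600 T tcp4_seq_show
ffffffff81002000 T _etext
"""


def build_captured_text() -> bytes:
    """Constructed memory image of .text carrying two rootkit-style inline hooks."""
    mem = bytearray(REFERENCE_TEXT)
    off = 0x1000                    # iterate_dir+0: jmp rel32 into the module
    rel = HOOK_TARGET - (TEXT_BASE + off + 5)
    mem[off:off + 5] = b"\xe9" + struct.pack("<i", rel)
    off = 0x1600                    # tcp4_seq_show+0: movabs rax, imm64 ; jmp rax
    mem[off:off + 12] = b"\x48\xb8" + struct.pack("<Q", HOOK_TARGET) + b"\xff\xe0"
    return bytes(mem)


def changed_pages(reference: bytes, captured: bytes) -> List[int]:
    """First pass: indices of pages whose SHA-256 differs (cheap triage of a large text)."""
    if len(reference) != len(captured):
        raise ValueError("size mismatch: captured text does not match this reference kernel")

    def digest(blob: bytes, i: int) -> bytes:
        return hashlib.sha256(blob[i:i + PAGE]).digest()

    return [i // PAGE for i in range(0, len(reference), PAGE)
            if digest(reference, i) != digest(captured, i)]


def modified_ranges(reference: bytes, captured: bytes) -> List[Tuple[int, int]]:
    """Second pass: byte-exact [start, end) runs inside the changed pages, merged."""
    runs: List[Tuple[int, int]] = []
    for page in changed_pages(reference, captured):
        lo, hi = page * PAGE, min((page + 1) * PAGE, len(reference))
        start = None
        for i in range(lo, hi):
            if reference[i] != captured[i]:
                if start is None:
                    start = i
            elif start is not None:
                runs.append((start, i))
                start = None
        if start is not None:
            runs.append((start, hi))
    merged: List[Tuple[int, int]] = []
    for s, e in runs:               # join runs that straddle a page boundary
        if merged and merged[-1][1] == s:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def parse_kallsyms(text: str) -> List[Tuple[int, str]]:
    """Parse 'addr type name' lines into a sorted (addr, name) list."""
    rows = (ln.split() for ln in text.splitlines())
    return sorted((int(p[0], 16), p[2]) for p in rows if len(p) >= 3)


def symbolize(addr: int, syms: List[Tuple[int, str]]) -> Tuple[str, int]:
    """Nearest preceding symbol as (name, offset); a minimal addr2sym."""
    name, base = "?", addr
    for saddr, sname in syms:
        if saddr > addr:
            break
        name, base = sname, saddr
    return name, addr - base


def decode_hook(addr: int, code: bytes) -> Optional[int]:
    """Recover the destination for the two hook shapes this example plants."""
    if len(code) >= 5 and code[0] == 0xE9:
        return (addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFFFFFFFFFF
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return struct.unpack("<Q", code[2:10])[0]
    return None


def verify_text(reference: bytes, captured: bytes, text_base: int, kallsyms: str) -> List[Dict]:
    """One finding per modified range, attributed to a symbol and, where decodable, a hook target."""
    syms = parse_kallsyms(kallsyms)
    findings = []
    for start, end in modified_ranges(reference, captured):
        addr = text_base + start
        name, off = symbolize(addr, syms)
        chunk = captured[start:end]
        findings.append({"symbol": name, "offset": off, "address": addr, "length": end - start,
                         "reference": reference[start:end].hex(), "memory": chunk.hex(),
                         "hook_target": decode_hook(addr, chunk)})
    return findings


if __name__ == "__main__":
    for f in verify_text(REFERENCE_TEXT, build_captured_text(), TEXT_BASE, KALLSYMS):
        tgt = f["hook_target"]
        print(f"{f['symbol']}+0x{f['offset']:x} @ 0x{f['address']:x}: {f['length']} bytes differ, "
              f"ref={f['reference']} mem={f['memory']}"
              + (f", control transfers to 0x{tgt:x}" if tgt is not None else ""))
```

Run as a script it prints one line per finding, naming the hooked function and the address control is diverted to. In a real investigation the captured bytes come from the memory image, the reference from the matching distribution kernel package, and the same comparison has to be extended to the other normally immutable regions rootkits patch, such as the system call and interrupt descriptor tables; a size or version mismatch at the first step is the signal that the wrong reference kernel was chosen.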

== Supported Systems ==

Second Look™ is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of May 2011:

= Publications =